Well played, anonymous hacker. I even respect your lack of political posturing.
For when this gets fixed, right now techcrunch.com is an empty html page that contains <a href="http://nottherealurl.com/ title="rapidshare downloads">rapidshare downloads</a>
Edit: now it is a blank html page that contains only "hi". Someone from HN rehacked it? Or it's about to be fixed.
Looks like it's switching around depending on what backend their load balancer throws you to. It's jumping around for me, which suggests they don't have any session affinity. Interesting, but I guess it's not required for their kind of app.
Techcrunch could be delivered as a PDF. I get it on my Kindle.
Just as most new web sites are not startup companies, most existing web sites are not apps.
The distinction and difference is that a software application helps a user perform manipulation or transformation of data as useful work.
Most websites, despite simple interactivity (e.g. search), are still published as "content" for consumption within a content access application, not for manipulating work|play|creative output.
Yeah, he/she/they definitely should have done this on Wednesday at 10:00 AM (or whenever the Apple event is) if they were looking to cause any sort of damage.
Who ever is behind this is changing the html page, 4 mintues ago it was <a href="http://dupedb.com/ title="rapidshare downloads">rapidshare downloads</a>. Now the source says "hi". Strange times.
Hope they have backups and don't loose data. As much as I hate that their quality has gone down, I hate to see someone's hard work get killed by something like this.
(Yes, my blog is currently hosted at wordpress.com, but I'm evaluating Jekyll as part of the next round of server migrations. I started with wordpress.com years ago when I didn't want to run WP on my own server, but wanted the ease of a blog.)
That's not a bad rule. I've actually been considering using sphinx http://sphinx.pocoo.org/ for my blog reboot. Mostly because I'd like to offer visitors a choice of formats, read bits and pieces on the web or grab the whole thing as a PDF or reasonably priced e-book.
"It's safe because I haven't been hacked yet." Meanwhile, pretty much everyone in the security community running Wordpress on their own sites got hacked via it in 2008-9.
but i feel the hack was done today instead of tomorrow to let them know the hackers displeasure on something.
but not to really hit them when it matters... (which is tomorrow for apple presentations )
maybe its just a warning perhaps.
I am sure techcrunch is working on this...
wordpress systems are pretty stable but all systems have a loophole.. on many systems, you can't avoid the hacking because it is the human errors (or negligence)
Yes, I'm aware of that. However, it's not for any of the relevant parties in this story (TC, HN, Apple), and the Apple event is a fixed number of hours away, regardless of what time zone you're in, and that number of hours is sufficient that the event is not "tomorrow". Or I'm up way too late and not thinking clearly :)
This was no automated attack. The page was updated with a series of what could only be hand written messages as TC tried to overwrite what the hacker was uploading. At one point the whole page turned to "o_O".
At one point, the source said <!-- WP Super Cache is installed but broken. The path to wp-cache-phase1.php in wp-content/advanced-cache.php must be fixed! -->
Visitors should be awake that visiting tc.com rightnow is equivalent to visiting an suspicious, untrustred site. It could serve malicious content that takes advantage of unknown vunerabilities even on fully patched systems... although i'd hope the hn audience is savvy enough to know this.
How about hackers everywhere give up on reclaiming this term. It's not going to happen. That way I don't have to see this post on every single story about malicious intrusion that comes up on social news sites.
I appreciate that whoever runs the site can call it whatever they like, but I wish they hadn't chosen 'Hacker News'. I know that it's my own prejudices at play here but it's simply embarrassing to have 'Hacker News' staring out from the top of my browser window. It's so ridiculous I can't even bring myself to say it, when I discuss links with a friend who also checks this site the conversation starts with 'did you see that article about X on the, er, the YCombinator news site?'.
Also note that it's possible for a single word to have multiple meanings depending on context, this includes even opposite meanings with opposite connotations. In the context of news.yc.com the term "hacker" generally has a different meaning than the term has elsewhere, especially in the context of unauthorized, malicious intrusion into a computer system.
Similarly a term such as "killer" may have an extremely negative connotation in the context of a grisly homicide yet the same word may have a positive connotation and a completely different meaning (dominant, superlative, desirable) in other connotations. Such is the dynamic, flexible, and adaptive nature of language (outside the realm of the pedant).
Main Entry: hack·er
Pronunciation: \ˈha-kər\
Function: noun
Date: 14th century
1 : one that hacks
2 : a person who is inexperienced or unskilled at a particular activity <a tennis hacker>
3 : an expert at programming and solving problems with a computer
4 : a person who illegally gains access to and sometimes tampers with information in a computer system
Three out of four possible Merriam-Webster definitions are negative.
Only the 4th one seems negative to me... 1) is neutral (since hack has atleast 1 +ve meaning), is positive and 2) is as similar to inexperienced/unskilled whose connotation is context dependent(imho)
So at first glance and with limited info... it's a plugin. Not that this surprises me, I still use vBulletin and I spend a lot of time code-reading the plugins for that before I use them. Mostly to make sure they don't do silly things like have SQL inside a loop over potentially lots of items, but also for the obvious security holes.
phew I don't feel bad now. I wrote a HTML preprocessor in 1999 to allow PHP-like embedding of Perl in webpages. It did the equivalent of register globals. I still have it up on my website but with a big warning that says "this has known security issues, don't use it". At least someone else made the same mistake around that time :)
118 comments
[ 3.6 ms ] story [ 164 ms ] threadFor when this gets fixed, right now techcrunch.com is an empty html page that contains <a href="http://nottherealurl.com/ title="rapidshare downloads">rapidshare downloads</a>
Edit: now it is a blank html page that contains only "hi". Someone from HN rehacked it? Or it's about to be fixed.
Just as most new web sites are not startup companies, most existing web sites are not apps.
The distinction and difference is that a software application helps a user perform manipulation or transformation of data as useful work.
Most websites, despite simple interactivity (e.g. search), are still published as "content" for consumption within a content access application, not for manipulating work|play|creative output.
http://jekyllrb.com/
(Yes, my blog is currently hosted at wordpress.com, but I'm evaluating Jekyll as part of the next round of server migrations. I started with wordpress.com years ago when I didn't want to run WP on my own server, but wanted the ease of a blog.)
but i feel the hack was done today instead of tomorrow to let them know the hackers displeasure on something. but not to really hit them when it matters... (which is tomorrow for apple presentations )
maybe its just a warning perhaps.
I am sure techcrunch is working on this...
wordpress systems are pretty stable but all systems have a loophole.. on many systems, you can't avoid the hacking because it is the human errors (or negligence)
Now, how long til we get Arrington's spin?
The html: <title>LOL HACKED</title>
<center><h1><b>WHAT A FUCKING USELESS HACK ISN'T IT? BLEH.</b></h1></center><br>
<h1><a href="http://dupedb.com/ title="rapidshare downloads">http://dupedb.com/</a></h1><br>;
Surely that's the case every day???
LMFAO
Someone needs to find a sense of humor.
Similarly a term such as "killer" may have an extremely negative connotation in the context of a grisly homicide yet the same word may have a positive connotation and a completely different meaning (dominant, superlative, desirable) in other connotations. Such is the dynamic, flexible, and adaptive nature of language (outside the realm of the pedant).
1 : one that hacks 2 : a person who is inexperienced or unskilled at a particular activity <a tennis hacker> 3 : an expert at programming and solving problems with a computer 4 : a person who illegally gains access to and sometimes tampers with information in a computer system
Three out of four possible Merriam-Webster definitions are negative.
If you can place a .php file in the plugins directory located here: http://www.techcrunch.com/plugins/
And then if you call the script as per your example, then it appears that plugin is loaded (and evaluated).
Someone else more versed in PHP might want to cast their eyes over the wordpress plugin to see whether I'm right: http://wordpress.org/extend/plugins/wp-super-cache/
But it appears it's a case of globals not being checked prior to use: http://php.net/manual/en/security.globals.php
So at first glance and with limited info... it's a plugin. Not that this surprises me, I still use vBulletin and I spend a lot of time code-reading the plugins for that before I use them. Mostly to make sure they don't do silly things like have SQL inside a loop over potentially lots of items, but also for the obvious security holes.
register_globals is an old one though, should be disabled: http://drupal.org/node/222343
I hope they go for the radical openness option and do a full public post-mortem. A teachable moment like this should not be wasted.
register_globals was known to be a bad idea in 1999 for crying out loud.
There's not even a valid reason to turn that setting on, with legacy not even being an excuse.
Apparently few Apache 1.x installations use to send this header as part of some fix for few versions Netscape.
Edit: TC seems to acknowledge the hack now. Also, the header X-Pad is missing now.
"Earlier tonight techcrunch.com was compromised by a security exploit.
We're working to identify the exploit and will bring the site back online shortly."
Will be interesting to hear the details. TC has done a lot to secure their site, but they were using WordPress.